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DIGITALEUROPE, the voice of the digital technology industry in Europe, welcomes the European Commission’s 
“non-paper” “Improving cross-border access to electronic evidence: Findings from the expert process and 
suggested way forward.” . We participated in the stakeholder workshops and continue to support the DG HOME- 
DG JUST task force effort to tackle the difficult jurisdictional and other challenges that must be resolved to 
develop a common approach in the EU. 








DIGITALEUROPE would like to reiterate that our members take their responsibility to maintain the safety, security, 
and privacy of millions of users in the EU seriously. Our members are also committed to being transparent in the 
way they execute these responsibilities. 


As stated in DIGITALEUROPE’s submission to the Commission task force from 3 March 2017, our members 
recognise that there are situations where they need to assist law enforcement agencies carrying out 
investigations into criminal activity. However, our members also acknowledge that the legal framework governing 
cross-border requests should be clarified and we are eager to continue to work with all relevant stakeholders on 
these important issues. 


The non-paper focuses on both practical measures to improve cooperation with service providers within the 
existing legal framework, and on possible legislative measures for “increased legal certainty, transparency and 
accountability.” As these options will be examined in the upcoming JHA Council meeting, DIGITALEUROPE would 
like to emphasize some points relevant to the non-paper that we raised in our previous submission to the task 
force, and to add additional comments. 


Regarding practical measures, DIGITALEUROPE strongly supports the European Commission’s effort to find 
workable solutions to improve cooperation with service providers within the existing framework. 


e We believe that the creation of a single point of contact for law enforcement/judiciary requests, which 
has shown real improvements in countries where it exists, is an example of how cooperation can lead to 
workable solutions. 


e An online tool containing all the applicable national laws as well as a description of who has authority to 
submit requests would also provide tangible improvements and contribute to a common understanding 
for all relevant stakeholders. 


e DIGITALEUROPE members also strongly support coordinated trainings and ‘train-the-trainers’ 
programmes as well as other practical ways to achieve meaningful improvements in cooperation. 


e Requests to access to data also need to respect procedural safeguards and the rule of law. Accordingly, 
any request has to be “reasoned”, based on law and subject to review and decision by a court or an 
independent administrative body; be limited to what is strictly necessary for the investigation in question 
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and target individuals implicated in the crime. Authorities shall also notify the user concerns and 
companies should have the ability to do so. 


We welcome that many of these suggestions were incorporated in the non-paper, which also starts to elaborate 
on the fundamental rights aspects of the disclosure of e-evidence. 


Furthermore, any potential solutions should in no way lead to a requirement for a service provider to reverse 
engineer, provide back doors or any other technology mandates to weaken the security of its service. Service 
providers must have the ability to continue to deploy the best possible technologies to ensure the security, 
integrity and confidentiality of their services, such as encryption. It is important to recognize that any back doors 
would only lead to a weakening of data security and privacy of the entire digital ecosystem. 


DIGITALEUROPE has also expressed our support for the European Commission’s efforts to modernise 
international cooperation, in particular the efforts to improve EU-US cooperation on cross-border access to e- 
Evidence and the dedicated funding of such initiatives. 


e DIGITALEUROPE members strongly believe that in order to avoid conflicting laws, there should be a 
robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, 
such as improved mutual legal assistance treaty (“MLAT”) processes. Where the laws of one jurisdiction 
conflict with the laws of another, it is incumbent upon governments to work together to resolve such 
conflicts. 


e The non-paper suggests EU level bi- and multilateral agreements with key partner countries such as the 
US. We encourage such efforts. 


The Commission suggests in the non-paper that implementation of all the practical measures it outlines should 
be pursued. Regarding legislative measures, the Commission services “seek the views of the Council regarding 
the feasibility and necessity of legislative measures.” 


As the Council considers the feasibility and necessity of such measures, it should ensure that any measures 
towards a potential EU framework do not create additional conflict of law situations. The EU should not attempt 
to authorize extraterritorial seizures of data controlled and/or entirely stored outside the EU. Cross border data 
demands from the EU to the US, or vice versa, need to be resolved via international agreement, as mentioned 
above. Unilateral assertions of jurisdiction by either EU member states, the US or others, risks creating conflicts 
of laws, given the restrictions on data transfers or disclosures imposed on service providers by legal requirements 
in laws such as the Stored Communications Act in the US and for example by the GDPR in the EU. As the 
Commission’s Non-Paper notes, any extraterritorial reach of EU data seizure rules should anticipate that other 
nations could impose reciprocal rules to demand the data of Europeans in Europe, potentially impacting EU 
citizens’ fundamental rights. 


DIGITALEUROPE therefore questions the suggested option in the non-paper to a “legislative solution to facilitate 
direct access.” In this context, we understand direct access to mean law enforcement access to computer 
systems through a suspect’s own device — so-called “legal hacking” — without the involvement of any service 
provider. Given the drastic nature of such measures, and the likelihood of violating fundamental rights as well as 
sovereign interests of other nations, the necessity and proportionality of such measures should be carefully 
considered. If these measures should be desired at all, strong safeguards and limitations should be clearly spelled 
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out to prevent any misuse of “legal hacking.” We have seen only recently the serious issues that can arise from 
so called Vulnerability Stockpiling of software. 


As mentioned above, any solutions found at EU level need to respect the rule of law and fundamental rights. The 
jurisprudence from the European Court of Human Rights (“ECHR”) and the CJEU should be taken into account. 


Any solution to improving criminal justice in cyberspace must consider the need for users of cloud technology 
services—whether individuals, governments, or organizations—to be accorded the same protections for their e- 
evidence as for the information they commit to paper, including the right to be notified that their data is being 
accessed. 


DIGITALEUROPE members are acutely aware that customers often do not want to put their data in a cloud 
infrastructure outside their national borders in part due to the concern that law enforcement in another country 
could obtain their data. This concern is driven by a lack of clarity in the laws as to whether an individual or a user 
could contest the government’s demand in the same way as they could before they had moved information to 
the cloud. 


Any new framework must address this core concern and possible inhibitor to adoption of cloud technologies. 
Potential customers will naturally be reluctant to take advantage of cloud technology if they perceive that their 
privacy protections will be reduced by such technologies. 


The European Commission’s December 2016 progress report stated that the rules on when notice has to take 
place vary widely or are entirely absent. A key component to any solution should therefore address the issue of 
user notification. Unless service providers are bound by a Court Order not to disclose a data request due to the 
fact that it would jeopardise the investigation, it is important that our members are able to notify users. 


Last, but not least, we regret to see that the non-paper does not acknowledge or mention the ongoing 
negotiations on the European Electronic Communications Code and the ePrivacy Regulaiton proposals, which 
touch many of the issues discussed above. It is essential that the EU strives for an integrated approach and holistic 
solution, as opposed to looking at the challenges in silos. 


CONCLUSION 


DIGITALEUROPE commends the European Commission for its work on the e-evidence initiative and remains 
committed to working with the Commission to find solutions to these challenging, but important questions. 


For more information please contact: 
Damir Filipovic, DIGITALEUROPE’s Director (Digital Consumer and Enterprise Policy) 
+32 2 609 53 25 or damir.filipovic@ digitaleurope.org 
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ABOUT DIGITALEUROPE 


DIGITALEUROPE represents the digital technology industry in Europe. Our members include some of the world's largest IT, 
telecoms and consumer electronics companies and national associations from every part of Europe. DIGITALEUROPE wants 
European businesses and citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the 
world's best digital technology companies. 


DIGITALEUROPE ensures industry participation in the development and implementation of EU policies. DIGITALEUROPE’s 
members include 61 corporate members and 37 national trade associations from across Europe. Our website provides 
further information on our recent news and activities: http://www.digitaleurope.org 


DIGITALEUROPE MEMBERSHIP 


Corporate Members 





Airbus, Amazon Web Services, AMD, Apple, BlackBerry, Bose, Brother, CA Technologies, Canon, Cisco, Dell, Dropbox, Epson, 
Ericsson, Fujitsu, Google, Hewlett Packard Enterprise, Hitachi, HP Inc., Huawei, IBM, Intel, iQor, JVC Kenwood Group, Konica 
Minolta, Kyocera, Lenovo, Lexmark, LG Electronics, Loewe, Microsoft, Mitsubishi Electric Europe, Motorola Solutions, NEC, 
Nokia, Nvidia Ltd., Océ, Oki, Oracle, Panasonic Europe, Philips, Pioneer, Qualcomm, Ricoh Europe PLC, Samsung, SAP, SAS, 
Schneider Electric, Sharp Electronics, Siemens, Sony, Swatch Group, Technicolor, Texas Instruments, Toshiba, TP Vision, 
VMware, Western Digital, Xerox, Zebra Technologies. 


National Trade Associations 














Austria: |OO Greece: SEPE Spain: AMETIC 

Belarus: INFOPARK Hungary: IVSZ Sweden: Foreningen 
Belgium: AGORIA Ireland: TECHNOLOGY IRELAND Teknikforetagen i Sverige, 
Bulgaria: BAIT Italy: ANITEC IT&Telekomforetagen 
Cyprus: CITEA Lithuania: INFOBALT Switzerland: SWICO 
Denmark: DI Digital, IT-BRANCHEN Netherlands: Nederland ICT, FIAR Turkey: Digital Turkey Platform, ECID 
Estonia: ITL Poland: KIGEIT, PIIT, ZIPSEE Ukraine: IT UKRAINE 
Finland: TIF Portugal: AGEFE . : 

France: AFNUM, Force Numérique, Sane ANIS, APDETIC Unten Kingdom stock 
Tech in France Slovakia: ITAS 

Germany: BITKOM, ZVEI Slovenia: GZS 
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